--- /dev/null
+<?xml version="1.0"?>
+<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<!-- $LastChangedRevision: 634760 $ -->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<modulesynopsis metafile="mod_session_crypto.xml.meta">
+
+<name>mod_session_crypto</name>
+<description>Session encryption support</description>
+<status>Extension</status>
+<sourcefile>mod_session_crypto.c</sourcefile>
+<identifier>session_crypto_module</identifier>
+
+<summary>
+ <note type="warning"><title>Warning</title>
+ <p>The session modules make use of HTTP cookies, and as such can fall
+ victim to Cross Site Scripting attacks, or expose potentially private
+ information to clients. Please ensure that the relevant risks have
+ been taken into account before enabling the session functionality on
+ your server.</p>
+ </note>
+
+ <p>This submodule of <module>mod_session</module> provides support for the
+ encryption of user sessions before being written to a local database, or
+ written to a remove browser via an HTTP cookie.</p>
+
+ <p>This can help provide privacy to user sessions where the contents of
+ the session should be kept private from the user, or where protection is
+ needed against the effects of cross site scripting attacks.</p>
+
+ <p>For more details on the session interface, see the documentation for
+ the <module>mod_session</module> module.</p>
+
+</summary>
+<seealso><module>mod_session</module></seealso>
+<seealso><module>mod_session_cookie</module></seealso>
+<seealso><module>mod_session_dbd</module></seealso>
+
+ <section id="basicusage"><title>Basic Usage</title>
+
+ <p>To create a simple encrypted session and store it in a cookie called
+ <var>session</var>, configure the session as follows:</p>
+
+ <example><title>Browser based encrypted session</title>
+ Session On<br />
+ SessionCookieName session path=/<br />
+ SessionCryptoPassphrase secret
+ </example>
+
+ <p>The session will be encrypted with the given key. Different servers can
+ be configured to share sessions by ensuring the same encryption key is used
+ on each server.</p>
+
+ <p>If the encryption key is changed, sessions will be invalidated
+ automatically.</p>
+
+ <p>For documentation on how the session can be used to store username
+ and password details, see the <module>mod_auth_form</module> module.</p>
+
+ </section>
+
+<directivesynopsis>
+<name>SessionCryptoPassphrase</name>
+<description>The key used to encrypt the session</description>
+<syntax>SessionCryptoPassphrase <var>secret</var></syntax>
+<default>none</default>
+<contextlist><context>directory</context>
+</contextlist>
+<compatibility>Available in Apache 2.3.0 and later</compatibility>
+
+<usage>
+ <p>The <directive>SessionCryptoPassphrase</directive> directive specifies the key
+ to be used to encrypt the contents of the session before writing the session, or
+ decrypting the contents of the session after reading the session.</p>
+
+ <p>Keys are more secure when they are long, and consist of truly random characters.
+ Changing the key on a server has the effect of invalidating all existing sessions.</p>
+
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SessionCryptoCertificateFile</name>
+<description>The certificate used to encrypt and decrypt the session</description>
+<syntax>SessionCryptoCertificateFile <var>file</var></syntax>
+<default>none</default>
+<contextlist><context>directory</context>
+</contextlist>
+<compatibility>Available in Apache 2.3.0 and later</compatibility>
+
+<usage>
+ <p>The <directive>SessionCryptoCertificateFile</directive> directive specifies the name
+ of a certificate to be used to encrypt the contents of the session before writing
+ the session, or decrypting the content of the session after reading the session.</p>
+
+ <p>Changing the certificate on a server has the effect of invalidating all existing
+ sessions.</p>
+
+ <note type="warning"><title>Experimental</title>
+ <p>This directive is dependent on experimental support for assymetrical encryption
+ support currently available in prerelease versions of OpenSSL, and will only be
+ available on platforms that support it.</p>
+ </note>
+
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SessionCryptoCertificateKeyFile</name>
+<description>The certificate key used to encrypt and decrypt the session</description>
+<syntax>SessionCryptoCertificateKeyFile <var>file</var></syntax>
+<default>none</default>
+<contextlist><context>directory</context>
+</contextlist>
+<compatibility>Available in Apache 2.3.0 and later</compatibility>
+
+<usage>
+ <p>The <directive>SessionCryptoCertificateKeyFile</directive> directive specifies the name
+ of a certificate key to be used alongside a certificate to encrypt the contents of the
+ session before writing the session, or decrypting the content of the session after reading
+ the session.</p>
+
+ <p>Changing the certificate or key on a server has the effect of invalidating all existing
+ sessions.</p>
+
+ <note type="warning"><title>Experimental</title>
+ <p>This directive is dependent on experimental support for asymmetrical encryption
+ support currently available in prerelease versions of OpenSSL, and will only be
+ available on platforms that support it.</p>
+ </note>
+
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SessionCryptoCipher</name>
+<description>The name of the cipher to use during encryption / decryption</description>
+<syntax>SessionCryptoCipher <var>cipher</var></syntax>
+<default>AES256</default>
+<contextlist><context>directory</context>
+</contextlist>
+<compatibility>Available in Apache 2.3.0 and later</compatibility>
+
+<usage>
+ <p>The <directive>SessionCryptoCipher</directive> directive specifies the name
+ of the cipher to use during encryption. The ciphers available will depend on the
+ underlying encryption toolkit on the server platform.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SessionCryptoDigest</name>
+<description>The name of the digest to use during encryption / decryption</description>
+<syntax>SessionCryptoDigest <var>cipher</var></syntax>
+<default>SHA</default>
+<contextlist><context>directory</context>
+</contextlist>
+<compatibility>Available in Apache 2.3.0 and later</compatibility>
+
+<usage>
+ <p>The <directive>SessionCryptoDigest</directive> directive specifies the name
+ of the digest to use during encryption. The list of digests available will depend
+ on the underlying encryption toolkit on the server platform.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SessionCryptoEngine</name>
+<description>The name of the engine to use during encryption / decryption</description>
+<syntax>SessionCryptoEngine <var>engine</var></syntax>
+<default>none</default>
+<contextlist><context>directory</context>
+</contextlist>
+<compatibility>Available in Apache 2.3.0 and later</compatibility>
+
+<usage>
+ <p>The <directive>SessionCryptoEngine</directive> directive specifies the name
+ of the engine to use during encryption, depending on the capabilities of the
+ underlying encryption toolkit on the server platform.</p>
+</usage>
+</directivesynopsis>
+
+</modulesynopsis>
--- /dev/null
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define CORE_PRIVATE
+
+#include "mod_session.h"
+#include "apu_version.h"
+#include "apr_base64.h" /* for apr_base64_decode et al */
+#include "apr_ssl.h" /* for apr_*_encrypt et al */
+#include "apr_lib.h"
+#include "apr_strings.h"
+#include "http_log.h"
+
+#define LOG_PREFIX "mod_session_crypto: "
+#define DEFAULT_CIPHER "AES256"
+#define DEFAULT_DIGEST "SHA"
+
+module AP_MODULE_DECLARE_DATA session_crypto_module;
+
+/**
+ * Structure to carry the per-dir session config.
+ */
+typedef struct {
+ const char *passphrase;
+ int passphrase_set;
+ const char *certfile;
+ int certfile_set;
+ const char *keyfile;
+ int keyfile_set;
+ const char *cipher;
+ int cipher_set;
+ const char *digest;
+ int digest_set;
+ const char *engine;
+ int engine_set;
+} session_crypto_dir_conf;
+
+/**
+ * Initialise the encryption as per the current config.
+ *
+ * Returns APR_SUCCESS if successful.
+ */
+#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 3)
+static apr_status_t crypt_init(request_rec * r, apr_evp_factory_t ** f, apr_evp_crypt_key_e * key, session_crypto_dir_conf * conf)
+{
+ apr_status_t res;
+
+ if (!conf->certfile_set && !conf->keyfile_set && !conf->passphrase_set) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, LOG_PREFIX
+ "encryption not configured, "
+ "no passphrase or certfile/keyfile set");
+ return APR_EGENERAL;
+ }
+
+ /* set up */
+ if (conf->certfile_set) {
+ *key = APR_EVP_KEY_PUBLIC;
+ res = apr_evp_factory_create(f, conf->keyfile, conf->certfile, NULL,
+ NULL, NULL, conf->digest, APR_EVP_FACTORY_ASYM, r->pool);
+ if (APR_ENOTIMPL == res) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "generic public/private key encryption is not supported by "
+ "this version of APR. session encryption not possible");
+ }
+ }
+ if (conf->passphrase) {
+ *key = APR_EVP_KEY_SYM;
+ res = apr_evp_factory_create(f, NULL, NULL, conf->cipher,
+ conf->passphrase, NULL, conf->digest, APR_EVP_FACTORY_SYM, r->pool);
+ if (APR_ENOTIMPL == res) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "generic symmetrical encryption is not supported by this "
+ "version of APR. session encryption not possible");
+ }
+ }
+ if (APR_STATUS_IS_ENOCIPHER(res)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "the cipher '%s' was not found", conf->cipher);
+ }
+ if (APR_STATUS_IS_ENODIGEST(res)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "the digest '%s' was not found", conf->digest);
+ }
+ if (APR_STATUS_IS_ENOCERT(res)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "the public and private key could not be extracted from "
+ "the certificates");
+ }
+ if (APR_STATUS_IS_ENOENGINE(res)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "the engine '%s' was not found", conf->engine);
+ }
+ if (APR_SUCCESS != res) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "encryption could not be configured. Please check the "
+ "certificates and/or passphrase as appropriate");
+ apr_evp_factory_cleanup(*f);
+ return APR_EGENERAL;
+ }
+
+ return APR_SUCCESS;
+}
+#endif
+
+/**
+ * Encrypt the string given as per the current config.
+ *
+ * Returns APR_SUCCESS if successful.
+ */
+static apr_status_t encrypt_string(request_rec * r, const char *in, char **out)
+{
+#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 3)
+ apr_status_t res;
+ apr_evp_factory_t *f = NULL;
+ apr_evp_crypt_t *e = NULL;
+ apr_evp_crypt_key_e key;
+ unsigned char *encrypt = NULL;
+ apr_size_t encryptlen, tlen;
+ char *base64;
+
+ session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+ &session_crypto_module);
+
+ /* don't attempt to encrypt an empty string, trying to do so causes a segfault */
+ if (!in || !*in) {
+ return APR_SUCCESS;
+ }
+
+ res = crypt_init(r, &f, &key, conf);
+ if (res != APR_SUCCESS) {
+ return res;
+ }
+
+ res = apr_evp_crypt_init(f, &e, APR_EVP_ENCRYPT, key, r->pool);
+ if (APR_SUCCESS != res) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "encryption could be configured but not initialised");
+ apr_evp_factory_cleanup(f);
+ return res;
+ }
+
+ /* encrypt the given string */
+ res = apr_evp_crypt(e, &encrypt, &encryptlen, (unsigned char *) in, strlen(in));
+ if (APR_SUCCESS != res) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "attempt to encrypt failed");
+ apr_evp_factory_cleanup(f);
+ apr_evp_crypt_cleanup(e);
+ return res;
+ }
+ res = apr_evp_crypt_finish(e, encrypt + encryptlen, &tlen);
+ if (APR_SUCCESS != res) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "attempt to finish the encryption failed");
+ apr_evp_factory_cleanup(f);
+ apr_evp_crypt_cleanup(e);
+ return res;
+ }
+ encryptlen += tlen;
+
+ /* base64 encode the result */
+ base64 = apr_pcalloc(r->pool, apr_base64_encode_len(encryptlen + 1) * sizeof(char));
+ apr_base64_encode(base64, (const char *) encrypt, encryptlen);
+ *out = base64;
+
+ /* clean up afterwards */
+ apr_evp_factory_cleanup(f);
+ apr_evp_crypt_cleanup(e);
+
+ return res;
+
+#else
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_ENOTIMPL, r, LOG_PREFIX
+ "crypto is not supported by APR on this platform");
+ return APR_ENOTIMPL;
+#endif
+}
+
+/**
+ * Decrypt the string given as per the current config.
+ *
+ * Returns APR_SUCCESS if successful.
+ */
+static apr_status_t decrypt_string(request_rec * r, const char *in, char **out)
+{
+#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 3)
+ apr_status_t res;
+ apr_evp_factory_t *f = NULL;
+ apr_evp_crypt_t *e = NULL;
+ apr_evp_crypt_key_e key;
+ unsigned char *decrypted = NULL;
+ apr_size_t decryptedlen, tlen;
+ apr_size_t decodedlen;
+ char *decoded;
+
+ session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+ &session_crypto_module);
+
+ res = crypt_init(r, &f, &key, conf);
+ if (res != APR_SUCCESS) {
+ return res;
+ }
+
+ res = apr_evp_crypt_init(f, &e, APR_EVP_DECRYPT, key, r->pool);
+ if (APR_SUCCESS != res) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "decryption could be configured but not initialised");
+ apr_evp_factory_cleanup(f);
+ return res;
+ }
+
+ /* strip base64 from the string */
+ decoded = apr_palloc(r->pool, apr_base64_decode_len(in));
+ decodedlen = apr_base64_decode(decoded, in);
+ decoded[decodedlen] = '\0';
+
+ /* decrypt the given string */
+ res = apr_evp_crypt(e, &decrypted, &decryptedlen, (unsigned char *) decoded, decodedlen);
+ if (res) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "decrypt: attempt to decrypt failed");
+ return res;
+ }
+ *out = (char *) decrypted;
+
+ res = apr_evp_crypt_finish(e, decrypted + decryptedlen, &tlen);
+ if (APR_SUCCESS != res) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "attempt to finish the decryption failed");
+ apr_evp_factory_cleanup(f);
+ apr_evp_crypt_cleanup(e);
+ return res;
+ }
+ decryptedlen += tlen;
+ decrypted[decryptedlen] = 0;
+
+ return APR_SUCCESS;
+
+#else
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_ENOTIMPL, r, LOG_PREFIX
+ "crypto is not supported by APR on this platform");
+ return APR_ENOTIMPL;
+#endif
+}
+
+
+/**
+ * Crypto encoding for the session.
+ *
+ * @param r The request pointer.
+ * @param z A pointer to where the session will be written.
+ */
+AP_DECLARE(int) ap_session_crypto_encode(request_rec * r, session_rec * z)
+{
+
+ char *encoded = NULL;
+ apr_status_t res;
+ session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+ &session_crypto_module);
+
+ if (conf->passphrase_set || conf->certfile_set) {
+ res = encrypt_string(r, z->encoded, &encoded);
+ if (res != OK) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, res, r, LOG_PREFIX
+ "encrypt session failed");
+ return res;
+ }
+ z->encoded = encoded;
+ }
+
+ return OK;
+
+}
+
+/**
+ * Crypto decoding for the session.
+ *
+ * @param r The request pointer.
+ * @param z A pointer to where the session will be written.
+ */
+AP_DECLARE(int) ap_session_crypto_decode(request_rec * r, session_rec * z)
+{
+
+ char *encoded = NULL;
+ apr_status_t res;
+ session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+ &session_crypto_module);
+
+ if ((conf->passphrase_set || conf->certfile_set) && z->encoded) {
+ res = decrypt_string(r, z->encoded, &encoded);
+ if (res != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
+ "decrypt session failed, wrong passphrase?");
+ return res;
+ }
+ z->encoded = encoded;
+ }
+
+ return OK;
+
+}
+
+
+
+
+static void *create_session_crypto_dir_config(apr_pool_t * p, char *dummy)
+{
+ session_crypto_dir_conf *new =
+ (session_crypto_dir_conf *) apr_pcalloc(p, sizeof(session_crypto_dir_conf));
+
+ /* default cipher AES256-SHA */
+ new->cipher = DEFAULT_CIPHER;
+ new->cipher_set = 1;
+
+ new->digest = DEFAULT_DIGEST;
+ new->digest_set = 1;
+
+ /* initialise SSL */
+ apr_ssl_init();
+
+ return (void *) new;
+}
+
+static void *merge_session_crypto_dir_config(apr_pool_t * p, void *basev, void *addv)
+{
+ session_crypto_dir_conf *new = (session_crypto_dir_conf *) apr_pcalloc(p, sizeof(session_crypto_dir_conf));
+ session_crypto_dir_conf *add = (session_crypto_dir_conf *) addv;
+ session_crypto_dir_conf *base = (session_crypto_dir_conf *) basev;
+
+ new->passphrase = (add->passphrase_set == 0) ? base->passphrase : add->passphrase;
+ new->passphrase_set = add->passphrase_set || base->passphrase_set;
+ new->certfile = (add->certfile_set == 0) ? base->certfile : add->certfile;
+ new->certfile_set = add->certfile_set || base->certfile_set;
+ new->keyfile = (add->keyfile_set == 0) ? base->keyfile : add->keyfile;
+ new->keyfile_set = add->keyfile_set || base->keyfile_set;
+ new->cipher = (add->cipher_set == 0) ? base->cipher : add->cipher;
+ new->cipher_set = add->cipher_set || base->cipher_set;
+ new->digest = (add->digest_set == 0) ? base->digest : add->digest;
+ new->digest_set = add->digest_set || base->digest_set;
+ new->engine = (add->engine_set == 0) ? base->engine : add->engine;
+ new->engine_set = add->engine_set || base->engine_set;
+
+ return new;
+}
+
+static const char *check_file(cmd_parms * cmd, const char **file)
+{
+ apr_finfo_t finfo;
+ const char *filepath = ap_server_root_relative(cmd->pool, *file);
+
+ if (!filepath) {
+ return apr_pstrcat(cmd->pool, cmd->directive->directive,
+ ": Invalid file path ", *file, NULL);
+ }
+ if (apr_stat(&finfo, filepath,
+ APR_FINFO_TYPE | APR_FINFO_SIZE, cmd->pool) != 0 ||
+ finfo.filetype != APR_REG || finfo.size <= 0) {
+ return apr_pstrcat(cmd->pool, cmd->directive->directive,
+ ": File empty or missing ", *file, NULL);
+ }
+ *file = filepath;
+
+ return NULL;
+}
+
+static const char *set_crypto_passphrase(cmd_parms * cmd, void *config, const char *passphrase)
+{
+ session_crypto_dir_conf *conf = (session_crypto_dir_conf *) config;
+ conf->passphrase = passphrase;
+ conf->passphrase_set = 1;
+ return NULL;
+}
+
+static const char *set_crypto_certificate_file(cmd_parms * cmd, void *config, const char *file)
+{
+ const char *res = check_file(cmd, &file);
+ if (!res) {
+ session_crypto_dir_conf *conf = (session_crypto_dir_conf *) config;
+ conf->certfile = file;
+ conf->certfile_set = 1;
+ }
+ return res;
+}
+
+static const char *set_crypto_certificate_keyfile(cmd_parms * cmd, void *config, const char *file)
+{
+ const char *res = check_file(cmd, &file);
+ if (!res) {
+ session_crypto_dir_conf *conf = (session_crypto_dir_conf *) config;
+ conf->keyfile = file;
+ conf->keyfile_set = 1;
+ }
+ return res;
+}
+
+static const char *set_crypto_cipher(cmd_parms * cmd, void *config, const char *cipher)
+{
+ session_crypto_dir_conf *conf = (session_crypto_dir_conf *) config;
+ conf->cipher = cipher;
+ conf->cipher_set = 1;
+ return NULL;
+}
+
+static const char *set_crypto_digest(cmd_parms * cmd, void *config, const char *digest)
+{
+ session_crypto_dir_conf *conf = (session_crypto_dir_conf *) config;
+ conf->digest = digest;
+ conf->digest_set = 1;
+ return NULL;
+}
+
+static const char *set_crypto_engine(cmd_parms * cmd, void *config, const char *engine)
+{
+ session_crypto_dir_conf *conf = (session_crypto_dir_conf *) config;
+ conf->engine = engine;
+ conf->engine_set = 1;
+ return NULL;
+}
+
+
+static const command_rec session_crypto_cmds[] =
+{
+ AP_INIT_TAKE1("SessionCryptoPassphrase", set_crypto_passphrase, NULL, RSRC_CONF|OR_AUTHCFG,
+ "The passphrase used to encrypt cookies"),
+ AP_INIT_TAKE1("SessionCryptoCertificateFile", set_crypto_certificate_file, NULL, RSRC_CONF|OR_AUTHCFG,
+ "The name of a certificate whose public key will be used to encrypt cookies"),
+ AP_INIT_TAKE1("SessionCryptoCertificateKeyFile", set_crypto_certificate_keyfile, NULL, RSRC_CONF|OR_AUTHCFG,
+ "The name of a private key which will be used to decrypt cookies"),
+ AP_INIT_TAKE1("SessionCryptoCipher", set_crypto_cipher, NULL, RSRC_CONF|OR_AUTHCFG,
+ "The cipher used to encrypt cookies. Defaults to " DEFAULT_CIPHER),
+ AP_INIT_TAKE1("SessionCryptoDigest", set_crypto_digest, NULL, RSRC_CONF|OR_AUTHCFG,
+ "The digest used to encrypt cookies. Defaults to " DEFAULT_DIGEST),
+ AP_INIT_TAKE1("SessionCryptoEngine", set_crypto_engine, NULL, RSRC_CONF|OR_AUTHCFG,
+ "The optional engine used to encrypt cookies, if supported by the underlying crypto "
+ "toolkit"),
+ {NULL}
+};
+
+static void register_hooks(apr_pool_t * p)
+{
+ ap_hook_session_encode(ap_session_crypto_encode, NULL, NULL, APR_HOOK_LAST);
+ ap_hook_session_decode(ap_session_crypto_decode, NULL, NULL, APR_HOOK_FIRST);
+}
+
+module AP_MODULE_DECLARE_DATA session_crypto_module =
+{
+ STANDARD20_MODULE_STUFF,
+ create_session_crypto_dir_config, /* dir config creater */
+ merge_session_crypto_dir_config, /* dir merger --- default is to
+ * override */
+ NULL, /* server config */
+ NULL, /* merge server config */
+ session_crypto_cmds, /* command apr_table_t */
+ register_hooks /* register hooks */
+};
projects / apache / commitdiff